Tagging port on DSA router to VPN

Hi all. I have configured a WireGuard VPN on my OpenWrt install and can see that it is connected. I’m attempting to set one Ethernet port on the router to be bridged to the WG VPN and not on the LAN. The guide I found talks about using Network > Switch to configure this, however my router doesn’t have that. Google informs me it is a DSA router/switch and there’s a different way to do it. Can someone kindly point me in the right direction? I’m assuming I need to create a new bridge interface and set it to VPN and eth2, but I want to use this as a learning experience to do it the correct way.

Someone else asked almost the identical question earlier...

The short of it is that you have two options:

  • create a new network interface for the physical port you wish to connect to the VPN and then use policy-based routing to steer connections on this port through the VPN and the other ports through the regular WAN.
  • if you have specific devices/IP addresses (for the host machines) that you want to go through the VPN, you can skip the process of creating a new network interface and simply specify that those IPs should always go through the VPN (again, using PBR).
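
A sketch of the first option as OpenWrt UCI configuration, added here as an example and not posted by anyone in the thread. Only `eth2` comes from the thread; the interface name `vpnport`, the subnet 192.168.2.0/24, the WireGuard interface name `wg0` and the VPN firewall zone name `vpn` are assumptions, and the `pbr` package is assumed to be installed and enabled.

```uci
# /etc/config/network
# First remove eth2 from the 'list ports' entries of the br-lan device,
# otherwise the port stays bridged to the LAN.
config interface 'vpnport'
	option device 'eth2'
	option proto 'static'
	option ipaddr '192.168.2.1'      # constructed subnet, separate from the LAN
	option netmask '255.255.255.0'

# /etc/config/dhcp
# Hand out addresses from the new subnet to whatever is plugged into eth2.
config dhcp 'vpnport'
	option interface 'vpnport'
	option start '100'
	option limit '50'
	option leasetime '12h'

# /etc/config/firewall
# Own zone for the port; input is accepted so clients can reach the
# router's DHCP and DNS.
config zone
	option name 'vpnport'
	list network 'vpnport'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Forward only to the VPN zone (assumed to be named 'vpn'). With no
# forwarding from 'vpnport' to 'wan', clients on eth2 cannot fall back
# to the WAN if the tunnel is down or the policy does not match.
config forwarding
	option src 'vpnport'
	option dest 'vpn'

# /etc/config/pbr
# Steer everything sourced from the new subnet through the tunnel
# ('wg0' is the assumed name of the WireGuard interface).
config policy
	option name 'eth2 via VPN'
	option src_addr '192.168.2.0/24'
	option interface 'wg0'
```

A client plugged into eth2 should then receive a 192.168.2.x address, and its public IP should be the VPN endpoint's rather than the WAN's.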

@psherman - thank you for linking me! I read the thread and what you told me here. Unfortunately it's a bit beyond my comprehension level, but I'm trying to use this as a learning experience. I have played about with PBR but cannot get the LAN port mapped to the VPN. I can see the VPN running and exchanging packets with the server in Network > Interfaces, but when I plug directly into the eth2 port I'm trying to assign I get a local IP address and internet access from the WAN.

Any chance you can give me a basic outline of what I need to do? The VPN looks like it's set up correctly since I can see the handshake and packets being exchanged. It's just what I have to do inside of PBR.